Threat intelligence may be trending in security these days, but there's a danger of complacency, according to Ron Gula, CEO of Tenable Network Security.
"The good guys have always been accused of not sharing data, so the fact that we're sharing data now is a good thing," Gula said in this interview recorded at the 2015 RSA Conference. SearchSecurity editorial director Robert Richardson sat down with Gula to discuss recent trends in security and how Gula viewed them. "I just don't want people to take a short cut and feel like if they don't have indicators on their network, that they're somehow secure."
Richardson also asked Gula about how the Internet of Things was likely to impact enterprise security. Gula said the exponential growth in devices on the Internet wasn't news in and of itself. "What is new though, is [how you deal with it] if you're an enterprise."
In Gula's view, shadow IT is the thin end of the wedge of IoT. "Organizations are just now beginning to deal with shadow IT, so we've got bring your own device, we've got bring your own cloud, but we also have people going out and procuring things outside of IT. It's very common for business and marketing people to stand up services on Salesforce and Marketo and certain cloud-based applications. The Internet of Things adds everything to it.
"What I really believe is that we need to get back to the basics. We need to discover 100% of all the assets on our networks -- whether they're in the cloud, whether they're mobile, or if they're traditional Linux and Windows servers -- and we need to do a security assessment on every one of these, and we need to present that to our boards of directors, to our CEOs and our IT security people so they can take the best action to mitigate the most risk."
Transcript - Gula talks basics for Internet of Things security
Robert: Hi, I'm Robert Richardson. I'm the Editorial Director of SearchSecurity.com, and I'm very pleased to have with me Ron Gula, who's co-founder and the CEO of Tenable. Tenable's been doing lots of interesting things, but I don't want to talk about them. Not right now, anyway. I want to get your sense of what's going on in the big frame of reference in security because I know you've looked at security for a long time. I know one thing that you're thinking these days is that the threat intelligence mania is a little overblown. Is that fair?
Ron: It's still useful because the good guys have always been accused of not sharing data. So the fact that we're sharing data now is a good thing. I just don't want people to take a shortcut and feel that if they don't have indicators on their network, that they're somehow secure.
Robert: Another thing that's going on in the world is this big mess called Internet of Things. It appears to be real, and there are definitely people thinking that there are security issues. What's your take on the Internet of Things?
Ron: So there's a tremendous increase in the number of devices on the Internet. That's not really news to anybody, right?
Robert: Right, that's just the Internet. Right?
Ron: That's right. What is new though, if you're an organization, if you're an enterprise, how do you deal with it? And organizations right now are just starting to deal with shadow IT, right? So we've got bring your own device. We've got bring your own cloud. But we also have people going out and procuring things outside of IT. It's very common for business and marketing people to stand up services on Salesforce, and Marketo, and certain cloud-based applications. Internet of Things adds everything to it. I've seen organizations being victimized because their SCADA systems for their buildings were somehow plugged into their network, perhaps VPN access was given to third-party vendors providing public legitimate business service, but outside of the purview of the enterprise. And what I really believe is that we need to get back towards the basics. Right? We need to discover 100% of all the assets on our network, whether they're in the cloud, whether they're mobile, or they're traditionally on Linux and Windows servers. We need to do a security assessment on every one of those, and then we need to present that in a fashion to our boards of directors, our CEOs, and our IT security people so they can take the best action to mitigate the most risk.
Robert: So you talked about VPN access for third parties and that sort of thing, which leads me to think about micro-segmentation of networks and software-defined networking. In some respects, it seems like that would solve a lot of the things that we've used cumbersome mechanisms to deal with. Is that your sense as well?
Ron: Yeah, a secure network design is a fundamental component of every regulatory compliance: the NIST framework, PCI, and whatnot, and it's just good network design. The problem is that people don't realize that networks change. People get added to the network. Partners get added. And unless they're looking for that secure network design continuously, they're going to be surprised the first time they see a VPN connection to a third party.
Robert: It's hard to imagine how that could result in problems, right?
Ron: It happens every day. Vendor risk management is actually a big deal that Tenable tracks. And just trying to identify which resources are connecting to whom is a huge thing of what we do in our SecurityCenter Continuous View product.
Robert: That's interesting. I didn't realize that. Any other parting thoughts or broad thoughts about the industry at this point?
Ron: So because things are so complex, it's so easy to pigeonhole yourself looking for threats in certain parts of your network. We really want people to remember that if they're doing security, they need to have a very simple and clear message to their senior management. I like to think of it that we're really the Fitbit for enterprise security. We need to tell people something that they don't know, right? They might think they're getting enough sleep and enough exercise, but they're really not until you measure it. It's the same thing with enterprise security. They need to measure all aspects of security, trend them, look for leading indicators of problems, and then take action.
Robert: Makes sense, and it sounds healthy, too. Ron, thanks so much for joining us. It's Ron Gula, CEO of Tenable, and I'm Robert Richardson, the editorial director at SearchSecurity.com. Thanks for joining.